Unwanted website opening up

#1 tune2john (Member, 11 posts)
Hi

I recently had some problems with an unwanted website opening up. I scanned through Adaware but found no malware. I updated to the latest version (9.0.5). Then Adaware was able to detect and delete the following:


Removed items:
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *overture* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408834 Family ID: 0


However, even after the deletion, I still get the same unwanted website opening up. When I run Adaware again the same detection & deletion occurs, but the issue is still there. Could you help me out here?

I'm attaching the log here.
Attached file: adaware.txt
Regards,
John


#2 redcar92 (Member, 69 posts)
Hello tune2john and welcome to the G2G Forum.
I'm RedCar92 and my name is Bill. I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure.
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear. Malware removal can be stressful, but we will clean it.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.


Thanks
Bill
In Training at WTT Classroom

#3 tune2john (Topic Starter, 11 posts)
Thanks Bill, I'll wait for your instructions.

#4 redcar92 (Member, 69 posts)
Hello tune2john
Please do the following:
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Next
  • Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Logs to post:
  • OTL.txt
  • Extras.txt
  • aswmbr.txt

Thanks
Bill
In Training at WTT Classroom

#5 tune2john (Topic Starter, 11 posts)
Hi Bill

I was able to run the OTL and here are the logs:
Attached file: OTL.Txt
Attached file: Extras.Txt

However, while running aswMBR.exe the system just stopped abruptly, showing a blue screen saying it had encountered an error, and restarted on its own. Should I try running aswMBR once again?

Regards,
John.

#6 tune2john (Topic Starter, 11 posts)
Attaching the system error here: err.JPG

#7 redcar92 (Member, 69 posts)
Hello John
Try running aswMBR again.
If it still won't run, try this:
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and include it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Also, when posting logs, please copy/paste the results into your post; it makes analysis much easier for us.

Thanks
Bill
In Training at WTT Classroom

#8 tune2john (Topic Starter, 11 posts)
Hello Bill,

I was unable to run aswMBR again as the system gave the same blue screen error and rebooted.

I then ran the GMER you've mentioned. Here's the log of the same:
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-04 11:57:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9160821AS rev.3.CDE
Running: gmer.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT 89DCF3A8 ZwAlertResumeThread
SSDT 89B8B1B8 ZwAlertThread
SSDT 89BDFDE8 ZwAllocateVirtualMemory
SSDT 89C04E68 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT 89B7DC00 ZwCreateMutant
SSDT 89BE49D0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9FF3CB0]
SSDT 89B5D2F0 ZwFreeVirtualMemory
SSDT 89B7D9A0 ZwImpersonateAnonymousToken
SSDT 89DCF3E0 ZwImpersonateThread
SSDT 89C0D008 ZwMapViewOfSection
SSDT 89B7DEB8 ZwOpenEvent
SSDT 89B82338 ZwOpenProcessToken
SSDT 89B83638 ZwOpenThreadToken
SSDT 89BE6D10 ZwQueryValueKey
SSDT 89B90E80 ZwResumeThread
SSDT 89B59540 ZwSetContextThread
SSDT 89B830E0 ZwSetInformationProcess
SSDT 89D43428 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB9FF3F10]
SSDT 89B6D0D0 ZwSuspendProcess
SSDT 89D46910 ZwSuspendThread
SSDT 89B820B0 ZwTerminateProcess
SSDT 89D43500 ZwTerminateThread
SSDT 89B5F9B8 ZwUnmapViewOfSection
SSDT 89BDF548 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C08 80504494 4 Bytes CALL 16DA0296

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Google Talk\googletalk.exe[2360] USER32.dll!GetLastInputInfo + 13 7E419507 4 Bytes [10, 3C, 6D, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3000] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 0045B9D0 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 0045BA30 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0045B8C0 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 0045B810 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0045B990 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0045B850 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0045B900 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0045B880 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0045B940 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 0045B7D0 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
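As an added illustration for this thread (not code from GMER, the forum, or either poster), a small Python triage of the GMER log above. It splits the log into GMER's sections, separates SSDT hooks that GMER attributed to a named driver from hooks that resolve only to a bare kernel address, records kernel code patches, and classifies user-mode inline hooks by whether the jump lands in the process's own image, in another DLL, or somewhere GMER could not name. The sample input is a constructed subset of the log lines posted above; the line layouts it parses are the ones visible in that log.

```python
"""Triage of a GMER 1.0.15 rootkit-scan log.

Separates SSDT hooks GMER attributed to a named driver from hooks that resolve
only to a bare kernel address, lists kernel code patches, and classifies
user-mode inline hooks by where the jump lands.  It surfaces items for a
human to check; security suites hook the SSDT too, so nothing here is a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15572 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT 89DCF3A8 ZwAlertResumeThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA91887E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9FF3CB0]
SSDT 89B820B0 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C08 80504494 4 Bytes CALL 16DA0296
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Google\Google Talk\googletalk.exe[2360] USER32.dll!GetLastInputInfo + 13 7E419507 4 Bytes [10, 3C, 6D, 01]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3000] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Tata Photon+\Huawei\Tata Photon+.exe[3148] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 0045B9D0 C:\Program Files\Tata Photon+\Huawei\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_BARE_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]{8}) (?P<func>Zw\w+)$")
SSDT_MOD_RE = re.compile(
    r"^SSDT (?P<module>.+?) \((?P<desc>[^)]*)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-F]+)\]$")
KERNEL_PATCH_RE = re.compile(
    r"^\.text (?P<symbol>\S+) \+ (?P<offset>[0-9A-F]+) (?P<addr>[0-9A-F]{8}) "
    r"(?P<nbytes>\d+) Bytes (?P<patch>.+)$")
USER_HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<api>\S+)(?: \+ (?P<offset>[0-9A-F]+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<nbytes>\d+) Bytes (?P<patch>JMP [0-9A-F]+|\[[^\]]*\])"
    r"(?: (?P<target>.+?) \((?P<desc>[^)]*)\))?$")
DEVICE_RE = re.compile(
    r"^AttachedDevice (?P<stack>\S+) (?P<device>\S+) (?P<driver>\S+) \((?P<desc>[^)]*)\)$")

# section title -> (regex, result bucket, captured fields), tried in order
PATTERNS = {
    "System": [(SSDT_MOD_RE, "ssdt_attributed", ("func", "module", "desc")),
               (SSDT_BARE_RE, "ssdt_unattributed", ("func", "addr"))],
    "Kernel code sections": [(KERNEL_PATCH_RE, "kernel_patches", ("symbol", "patch"))],
    "User code sections": [(USER_HOOK_RE, "user_hooks", ("image", "api", "target"))],
    "Devices": [(DEVICE_RE, "attached_devices", ("device", "driver"))],
}


@dataclass
class Triage:
    ssdt_attributed: list = field(default_factory=list)    # (func, module, description)
    ssdt_unattributed: list = field(default_factory=list)  # (func, bare address)
    kernel_patches: list = field(default_factory=list)     # (symbol, patch text)
    user_hooks: list = field(default_factory=list)         # (image, api, target or None)
    attached_devices: list = field(default_factory=list)   # (device, filter driver)
    unparsed: list = field(default_factory=list)           # lines no pattern matched


def hook_kind(image, target):
    """'self': jump lands in the hooked process's own image; 'third_party': another
    module; 'unresolved': GMER printed raw bytes and could not name an owner."""
    if target is None:
        return "unresolved"
    return "self" if target.lower() == image.lower() else "third_party"


def triage(log_text):
    t, section = Triage(), None
    for line in (l.strip() for l in log_text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
        elif line and section in PATTERNS:
            for regex, bucket, fields in PATTERNS[section]:
                m = regex.match(line)
                if m:
                    getattr(t, bucket).append(tuple(m[f] for f in fields))
                    break
            else:
                t.unparsed.append(line)
    return t


def attention_items(t):
    """Entries a helper reads first; hooks that name their owning driver are left out."""
    items = [f"SSDT {f} -> {a} (no owning module)" for f, a in t.ssdt_unattributed]
    items += [f"kernel patch {s}: {p}" for s, p in t.kernel_patches]
    items += [f"user hook {api} in {img}: unresolved" for img, api, tgt in t.user_hooks
              if hook_kind(img, tgt) == "unresolved"]
    return items
```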

#9 redcar92 (Member, 69 posts)
Hello John
Excellent, good news, no rootkit.
Please do the following
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.

Thanks
Bill
In Training at WTT Classroom

#10 tune2john (Topic Starter, 11 posts)
Hello Bill,

Here's the output:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBADA8000 \WINDOWS\system32\KDCOM.DLL
0xBACB8000 \WINDOWS\system32\BOOTVID.dll
0xBA779000 ACPI.sys
0xBADAA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xBA768000 pci.sys
0xBA8A8000 isapnp.sys
0xBA8B8000 ohci1394.sys
0xBA8C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBACBC000 compbatt.sys
0xBACC0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBAE70000 pciide.sys
0xBAB28000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA8D8000 MountMgr.sys
0xBA749000 ftdisk.sys
0xBADAC000 dmload.sys
0xBA723000 dmio.sys
0xBAB30000 PartMgr.sys
0xBA8E8000 VolSnap.sys
0xBA70B000 atapi.sys
0xBA8F8000 disk.sys
0xBA908000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA6EB000 fltMgr.sys
0xBA6D9000 sr.sys
0xBA918000 Lbd.sys
0xBA6C2000 KSecDD.sys
0xBA635000 Ntfs.sys
0xBA608000 NDIS.sys
0xBA5EE000 Mup.sys
0xBAA68000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBAB98000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA571000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBABA0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA549000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA508000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBAA78000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA4F4000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBAA88000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBABA8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBABB0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBAA98000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBABB8000 \SystemRoot\system32\drivers\Afc.sys
0xBAAA8000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xBAAB8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBAAC8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA4D1000 \SystemRoot\system32\DRIVERS\ks.sys
0xBABC0000 \SystemRoot\system32\drivers\InCDPass.sys
0xBAAD8000 \SystemRoot\system32\drivers\InCDRm.sys
0xBABC8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBAD78000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBAD7C000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xBAFF9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBAAE8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBAD80000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA3C1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBAAF8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBAB08000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBABD0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\psched.sys
0xBAB18000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBABD8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBABE0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA2E0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA938000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBADC6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA282000 \SystemRoot\system32\DRIVERS\update.sys
0xBAD9C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBABF0000 \SystemRoot\system32\DRIVERS\btport.sys
0xBA202000 \SystemRoot\system32\drivers\btaudio.sys
0xBA1DE000 \SystemRoot\system32\drivers\portcls.sys
0xBA948000 \SystemRoot\system32\drivers\drmk.sys
0xBA958000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA968000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBADCA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA098000 \SystemRoot\system32\drivers\sthda.sys
0xBA002000 \??\C:\Program Files\Symantec AntiVirus\savrt.sys
0xB9FE0000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xB9FCC000 \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys
0xBAC18000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9E10000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0xBADD8000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0xBAE1C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBAF16000 \SystemRoot\System32\Drivers\Null.SYS
0xBAE28000 \SystemRoot\System32\Drivers\Beep.SYS
0xBAC88000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBAC98000 \SystemRoot\System32\drivers\vga.sys
0xB9B37000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xBAE40000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBAE4A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB9DA2000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xB9AFB000 \SystemRoot\system32\drivers\InCDFs.sys
0xBAB68000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBAB70000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA4B1000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB9AE8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB9A8F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB9A54000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xB9A2E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA350000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB9A06000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB99E4000 \SystemRoot\System32\drivers\afd.sys
0xBA330000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB9982000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xB9957000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB98E7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA320000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9889000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB986C000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xBA978000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9854000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBAE68000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA084000 \SystemRoot\System32\drivers\Dxapi.sys
0xBAB90000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xBAED3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9330000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8E0F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8CE2000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9064000 \SystemRoot\system32\drivers\sysaudio.sys
0xB882A000 \SystemRoot\system32\DRIVERS\srv.sys
0xB80E1000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7CC7000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110504.002\navex15.sys
0xB7CB3000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110504.002\naveng.sys
0xB853E000 \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
0xB7B0A000 \SystemRoot\system32\DRIVERS\ewusbdev.sys
0xB7AC5000 \SystemRoot\system32\DRIVERS\ewusbmdm.sys
0xBAC80000 \SystemRoot\System32\Drivers\Modem.SYS
0xBACB0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB7C93000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xB79CF000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
636 C:\WINDOWS\system32\smss.exe
716 csrss.exe
740 C:\WINDOWS\system32\winlogon.exe
788 C:\WINDOWS\system32\services.exe
800 C:\WINDOWS\system32\lsass.exe
956 C:\WINDOWS\system32\svchost.exe
1036 svchost.exe
1076 C:\WINDOWS\system32\svchost.exe
1100 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1160 svchost.exe
1208 svchost.exe
1344 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1408 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1556 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1692 C:\WINDOWS\explorer.exe
1784 C:\WINDOWS\system32\spoolsv.exe
1804 C:\WINDOWS\system32\svchost.exe
1960 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1984 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2004 C:\WINDOWS\system32\bgsvcgen.exe
128 C:\Program Files\Symantec AntiVirus\DefWatch.exe
244 C:\WINDOWS\system32\inetsrv\inetinfo.exe
116 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
524 C:\Program Files\Java\jre6\bin\jqs.exe
676 C:\WINDOWS\system32\stacsv.exe
692 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
1148 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
1528 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
1256 C:\WINDOWS\system32\svchost.exe
2068 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
2096 C:\PROGRA~1\SYMANT~1\VPTray.exe
2104 C:\WINDOWS\OEM02Mon.exe
2120 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2128 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
2276 C:\Program Files\Google\Google Talk\googletalk.exe
2304 C:\Program Files\gAlwaysIdle\gidle.exe
2324 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
2368 C:\Program Files\iTunes\iTunesHelper.exe
2416 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2428 C:\WINDOWS\system32\ctfmon.exe
2468 C:\DOCUME~1\admin\LOCALS~1\Temp\AutoDetect.exe
2524 C:\Program Files\Symantec AntiVirus\DoScan.exe
2624 C:\Program Files\ZTE Wireless Terminal\bin\MonServiceUDisk.exe
2692 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
2700 C:\Program Files\Panasonic\PHOTOfunSTUDIO 4.0 HD\AutoStartupService.exe
2708 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
3232 unsecapp.exe
3460 wmiprvse.exe
3488 C:\Program Files\iPod\bin\iPodService.exe
3728 alg.exe
448 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1176 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
4080 C:\Program Files\Giganology\Gigaget\Gigaget.exe
2332 C:\Documents and Settings\admin\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000009`c3dcd400 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000017`31999c00 (NTFS)

PhysicalDrive0 Model Number: ST9160821AS, Rev: 3.CDE

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


#11 redcar92 (Member, 69 posts)
Hello John
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Bill
In Training at WTT Classroom

#12 tune2john (Topic Starter, 11 posts)
Hello Bill,

I ran ComboFix as you mentioned. Here's the report of the same:
ComboFix 11-05-05.01 - admin 05/06/2011 5:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.997 [GMT 5.5:30]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Application Data\avdrn.dat
c:\documents and settings\admin\cbzvl.exe
c:\documents and settings\admin\GoToAssistDownloadHelper.exe
c:\documents and settings\admin\WINDOWS
c:\windows\system32\Cache
.
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
.
2011-04-28 19:52 . 2011-04-26 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-27 23:24 . 2011-04-26 00:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-27 23:24 . 2011-04-27 23:24 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-27 22:50 . 2011-04-27 22:50 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Sunbelt Software
2011-04-27 22:48 . 2011-04-27 22:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{91EC863D-D912-4466-91CC-9489A4A2ADD3}
2011-04-27 22:48 . 2011-04-27 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-04-27 22:48 . 2011-04-27 22:48 -------- d-----w- c:\program files\Lavasoft
2011-04-13 22:40 . 2011-04-13 22:40 4284416 -c--a-w- c:\windows\system32\GPhotos.scr
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:26 . 2011-05-01 13:14 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-01-02 11:31 . 2010-11-01 23:06 53248 -c--a-w- c:\program files\mozilla firefox\components\GigagetComponent.dll
.
.
------- Sigcheck -------
.
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-06-19 195072]
"Gigaget"="c:\program files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 495616]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"gidle"="c:\program files\gAlwaysIdle\gidle.exe" [2008-01-07 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-31 271672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
PHOTOfunSTUDIO 4.0 HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO 4.0 HD\AutoStartupService.exe [2010-2-12 146264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-03-10 09:15 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-07 08:32 53408 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/28/2011 4:54 AM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/26/2011 5:30 AM 2146496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/25/2011 10:50 PM 102448]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [12/13/2010 2:07 PM 100736]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/26/2011 5:30 AM 15232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 11:52 PM 135664]
S2 UDisk Monitor;UDisk Monitor;c:\program files\ZTE Wireless Terminal\bin\MonServiceUDisk.exe [2/11/2010 9:41 PM 266240]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 11:52 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 7:34 AM 115952]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ztemtusbser.sys [2/11/2010 9:41 PM 104320]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-26 15:37]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 18:22]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All by Gigaget - c:\program files\Giganology\Gigaget\getallurl.htm
IE: &Download by Gigaget - c:\program files\Giganology\Gigaget\geturl.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\033zl1e8.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-06 05:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-05-06 05:37:57
ComboFix-quarantined-files.txt 2011-05-06 00:07
.
Pre-Run: 15,108,878,336 bytes free
Post-Run: 15,437,594,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B95CADA10D9CCD3C17D182990F6312A2
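As an added illustration (not ComboFix's code nor the forum's), a Python helper that splits the ComboFix log above on its banner and rule lines and reports two things a helper reads first: executables ComboFix removed from under a user profile, and registry values in the Reg Loading Points section that switch off the Windows firewall or Security Center monitoring. The sample is a constructed subset of the log posted above; the section titles and key names are the ones that log shows.

```python
"""Triage of a ComboFix log.

Splits the log on ComboFix's banner and rule lines, then reports executables
deleted from under a user profile and registry values that turn off the
Windows firewall or Security Center monitoring.  The monitoring flag is often
set by a corporate AV product itself, so it is reported for review, not as an
infection; the same goes for a deleted helper that a legitimate product left
in the profile.
"""
import re

# Constructed sample: a subset of the ComboFix log posted above.
SAMPLE_LOG = r"""ComboFix 11-05-05.01 - admin 05/06/2011 5:33.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\admin\Application Data\avdrn.dat
c:\documents and settings\admin\cbzvl.exe
c:\documents and settings\admin\GoToAssistDownloadHelper.exe
c:\documents and settings\admin\WINDOWS
c:\windows\system32\Cache
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"gidle"="c:\program files\gAlwaysIdle\gidle.exe" [2008-01-07 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
"""

BANNER_RE = re.compile(r"^\({3,} (.+?) \){3,}$")          # ((( Title )))
RULE_RE = re.compile(r"^-{3,} (.+?) -{3,}$")               # ------- Title -------
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
PROFILE_ROOT = "c:\\documents and settings\\"


def split_sections(text):
    """Map each ComboFix section title to its lines ('.' is ComboFix's spacer line)."""
    sections, current = {"header": []}, "header"
    for line in (l.rstrip() for l in text.splitlines()):
        if line in ("", "."):
            continue
        m = BANNER_RE.match(line) or RULE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def registry_values(lines):
    """Yield (key, name, value) from REGEDIT4-style lines; bare path lines are skipped."""
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m["name"], m["value"]


def profile_executables_deleted(sections):
    """Executables ComboFix removed from under a user profile: programs living there
    rather than in Program Files are worth a look, though legitimate helpers land there too."""
    return [p for p in sections.get("Other Deletions", [])
            if p.lower().startswith(PROFILE_ROOT) and p.lower().endswith(EXEC_EXT)]


def protection_findings(sections):
    """(finding, key leaf) pairs for values that weaken host protection."""
    findings = []
    for key, name, value in registry_values(sections.get("Reg Loading Points", [])):
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        if "firewallpolicy" in k and name == "EnableFirewall" and value.startswith("0"):
            findings.append(("firewall_disabled", leaf))
        elif "security center" in k and name == "DisableMonitoring" and value.endswith("1"):
            findings.append(("security_center_monitoring_off", leaf))
    return findings
```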

#13 redcar92 (Member, 69 posts)
I forgot to ask, how is your PC behaving now please?
Thanks
Bill
In Training at WTT Classroom

#14 tune2john (Topic Starter, 11 posts)
Bill,

Yes, I was waiting for some time to test if there are any browser redirects happening before sending this update.

I'm pleased to say that after the last step (ComboFix) the browser redirects have stopped. Looks like it's been fixed now. Can we be certain of that?

Regards,
John.

#15 redcar92 (Member, 69 posts)
You are making good progress, :) more to come soon.
Thanks
Bill
In Training at WTT Classroom